superd_88943
Aug 27, 2013

Forwarding VIP

Hi, I need a solution for a VIP, which will securely proxy traffic from my DMZ to LAN (via middle network where F5 lives), as direct communication is prohibited.

 

The goal ultimately is to have one server in DMZ talking to a range of different addresses on LAN (dest addresses cannot be tied down, and will change frequently), on a single port, and likely be encrypted. Also there will be no load balancing or NAT required, so I'm thinking a forwarding VIP will suit best for my requirements, with maybe a message filter to tie down to the DMZ source IP.

 

My concern is how secure is a forwarding VIP, as I really need a full proxy type VIP, so maybe I'm barking up the wrong tree with forwarding VIP, or on the other hand is it possible to achieve my goal using standard/secure VIP? I already have a firewall in place, so if a forwarding rule is the same as a firewall rule, it's pretty pointless. Thanks in advance!

 

3 Replies

  • Would need more details to be helpful. What protocol? You can have a standard 0.0.0.0: VIP and could apply an iRule w/ a datagroup or a sideband service that has the list of internal IPs allowed and use a simple forward statement. WRT security of a forwarding VIP or a standard VIP, there's no difference in security posture. Standard VIP just needs a destination, whereas a forwarding VIP will consult the routing table. You can do more with a standard VIP WRT security because you can apply profiles to get at the higher layers, but "just as" is no more secure than a forwarding VIP.
  • sorry for slow reply here jason.. thanks a lot for response, very helpful :)
  • Moving comment to answer:

     

    Would need more details to be helpful. What protocol? You can have a standard 0.0.0.0: VIP and could apply an iRule w/ a datagroup or a sideband service that has the list of internal IPs allowed and use a simple forward statement.

     

    WRT security of a forwarding VIP or a standard VIP, there's no difference in security posture. Standard VIP just needs a destination, whereas a forwarding VIP will consult the routing table. You can do more with a standard VIP WRT security because you can apply profiles to get at the higher layers, but "just as" is no more secure than a forwarding VIP.
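
A sketch of the iRule-plus-datagroup approach described in the answer above, added here as an example and not posted by anyone in the thread. It assumes a wildcard standard virtual server bound to the single allowed port, an address-type data group named `allowed_lan_hosts`, and a DMZ server at 192.0.2.10; all three are placeholders.

```tcl
# Added example, not from the thread.
# Assumptions (hypothetical names and values):
#   - attached to a wildcard standard virtual server on the one allowed port
#   - data group "allowed_lan_hosts" (type Address) lists the permitted
#     LAN hosts or subnets and is maintained as destinations change
#   - 192.0.2.10 is the single DMZ server allowed to use this path
when CLIENT_ACCEPTED {
    # Tie the virtual server down to the one DMZ source address.
    if { not [IP::addr [IP::client_addr] equals 192.0.2.10] } {
        log local0.info "fwd-vip denied source [IP::client_addr]"
        reject
        return
    }

    # On a wildcard virtual server, IP::local_addr is the destination
    # the client asked for. Allow it only if the data group lists it.
    if { [class match [IP::local_addr] equals allowed_lan_hosts] } {
        # No pool, no NAT: hand the connection to the routing table.
        forward
    } else {
        log local0.info "fwd-vip denied dest [IP::local_addr] from [IP::client_addr]"
        reject
    }
}
```

Because the allowed destinations live in the data group, the list can change without editing the iRule, and the log lines record every denied source or destination for review.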